What is IAST?
Interactive Application Security Testing is a testing approach for improving the security of web applications. Its scanners observe the behavior of the running application in real time. The approach is considered very reliable.
The term “Interactive Application Security Testing” (IAST) describes scanners that monitor the behavior of the application under test in real time. The word “interactive” underlines this live character.
When testing an application, the scanners analyze what is happening from the outside (runtime, configuration, etc.) as well as from the inside (the lines of code). IAST is a white-box process because the code is accessible to the scanners.
The differences between IAST and SAST and DAST
Interactive application security testing is essentially a hybrid of static (SAST) and dynamic (DAST) security testing. SAST scanners focus on the code and are used at an early stage of development. DAST tools simulate attacks on running applications and therefore only come into play later in the development cycle.
Normally these two tasks cannot be covered by a single solution, since the attack routines intended for external testing would have to run inside the system. To cover both functions together, IAST tools work with software agents and sensors. Their approach is therefore somewhat different from that of SAST and DAST.
Looking at the code, the sensors report whether the execution of the lines deviates from the expected behavior. In the static analysis, the scanners look for known patterns in the code that indicate weak points. For the external side, Interactive Application Security Testing works in principle the same way: software agents evaluate the behavior of the application in certain automated test situations. The dynamic tests are simulated attacks carried out from the outside.
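As an added illustration of what such an in-process sensor does (a constructed example, not the agent code of any IAST product): untrusted input is marked at its source, the marking travels with string concatenation, and a sensor on the SQL sink reports when marked data ends up inside the query text instead of a bound parameter, together with the call site that caused it.

```python
import sqlite3
import traceback

class Tainted(str):
    """A str that remembers it came from an untrusted source (e.g. an HTTP request)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):  # used for "literal" + tainted: the subclass wins
        return Tainted(str.__add__(other, self))

FINDINGS = []  # what the agent would send to its reporting backend

def sensor_execute(cursor, sql, params=()):
    """Wrapper around sqlite3.Cursor.execute acting as the sink sensor."""
    if isinstance(sql, Tainted):
        # Record the caller's file and line so the report says *where* the flaw is.
        frame = traceback.extract_stack(limit=2)[0]
        FINDINGS.append({"rule": "SQL injection", "file": frame.filename,
                         "line": frame.lineno, "sql": str(sql)})
    return cursor.execute(sql, params)

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn

def lookup_unsafe(conn, name_from_request):
    """Vulnerable: the untrusted value is concatenated into the query text."""
    name = Tainted(name_from_request)  # source: a request parameter (constructed)
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sensor_execute(conn.cursor(), sql).fetchall()

def lookup_safe(conn, name_from_request):
    """Safe: the untrusted value travels as a bound parameter, the query text stays clean."""
    name = Tainted(name_from_request)
    sql = "SELECT name FROM users WHERE name = ?"
    return sensor_execute(conn.cursor(), sql, (name,)).fetchall()

def run_demo():
    """Returns (findings after the safe call, findings after the unsafe call)."""
    FINDINGS.clear()
    conn = setup_db()
    lookup_safe(conn, "alice")
    after_safe = len(FINDINGS)    # 0: a parameterised query never trips the sensor
    lookup_unsafe(conn, "alice")
    return after_safe, list(FINDINGS)
```

Because the sensor only fires when marked data actually reaches the sink, a parameterised query that a pattern-based static scan might still flag produces no finding here.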
IAST can be used during development as well as in the quality assurance and test phases. It is also frequently used later, for the further development of existing applications. IAST’s different approach results in certain advantages and disadvantages compared to SAST and DAST.
Advantages of IAST compared to DAST and SAST
- Results are delivered in real time. DAST scanners in particular take a long time to complete their analyses.
- IAST tools have a very low false positive rate. SAST tools often struggle with this problem.
- No expert knowledge is required to use the scanners. DAST tools are written by specialists and can only be changed by them.
- The solutions are highly scalable.
- Testing can be largely automated – including reporting.
- Existing test cases can be used multiple times. There is no need to write new scripts.
- Many errors are found at an early stage, which is why the costs of troubleshooting are reduced.
- Because the code is accessible, IAST scanners can often reveal why there is a problem. DAST solutions cannot.
- IAST analyses do not interfere with other processes. Applications can be used normally.
Disadvantages of IAST compared to the other concepts
Many experts are of the opinion that IAST solutions have no disadvantages at all compared to the other concepts, i.e. no significant weaknesses. However, this is not correct. These tools also have to contend with some problems:
- To deliver real-time results, the depth of analysis is lower than with SAST and DAST.
- The scanners take longer to be trained to detect new threats.
- The IAST solutions require a high degree of customization. For example, this applies to the scanners that report unexpected behavior of code while it is running.
IAST is the final piece of the puzzle – but not the whole picture
Anyone who reads the advantages of Interactive Application Security Testing quickly gets the impression that this procedure alone is sufficient for security testing. After all, it covers all areas and works reliably. However, this is not the case, because of the reduced depth of analysis and the delay before the scanners can detect new threats. IAST tools are the last (and often the most important) piece of the puzzle for optimizing the security of a web application, but SAST and DAST should still be used alongside them.